Privacy Policy
- We collect only the data necessary to provide and improve our CRM service.
- Your data is encrypted in transit and at rest; access is role-based and logged.
- We never sell your personal data. We share it only with essential service providers under strict contracts.
- You can access, export, correct, or delete your data at any time — see the DSR section.
- We comply with GDPR, India DPDP Act 2023, and CCPA/CPRA principles.
- Questions? Contact our DPO at [dpo@company.com].
1 Introduction
[Company Name] ("Company," "we," "us," or "our") operates a customer relationship management (CRM) platform (the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect personal data when you interact with our Service — whether via web, mobile applications, or API integrations.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have the authority to bind that organization to these terms.
2 Definitions
- Personal Data: Any information that identifies or can be used to identify a natural person, directly or indirectly.
- Data Principal / Data Subject: The individual to whom the personal data relates.
- Data Fiduciary / Data Controller: The entity (the Company) that determines the purposes and means of processing personal data.
- Data Processor: A third party that processes personal data on behalf of the Data Controller.
- Tenant: An organizational account within the CRM, managed by one or more tenant administrators.
- CRM Records: Customer, lead, contact, and interaction data stored within a Tenant's workspace.
- Sub-Processor: A third-party service engaged by us to assist in processing personal data.
3 Data We Collect
3.1 Data You Provide Directly
- Account Information: Name, email address, phone number, organization name, job title, and credentials (hashed passwords).
- CRM Records: Contact details, communication logs, notes, tasks, deal/pipeline data, and any custom fields created by the tenant.
- Support Communications: Messages, attachments, and metadata you send to our support channels.
- Billing Information: If applicable, payment method details (processed and stored by our PCI-compliant payment processor; we do not store full card numbers).
3.2 Data Collected Automatically
- Device & Browser Data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Usage Data: Pages visited, features used, timestamps, click paths, and session duration.
- Log Data: Server access logs, error logs, and API call metadata.
- Cookies & Similar Technologies: See Section 15.
3.3 Data from Third Parties
- Integration Partners: If you connect third-party services (e.g., email providers, calendar apps), we may receive contact and communication data as configured by you.
- Public Sources: Business contact information from publicly available directories, solely for data enrichment where permitted.
4 Legal Bases for Processing
We process personal data under the following lawful bases, as applicable under GDPR and similar frameworks:
| Legal Basis | Examples |
|---|---|
| Consent | Marketing communications, optional analytics cookies, newsletter subscriptions. |
| Contractual Necessity | Providing the CRM Service, account creation, processing transactions, and delivering support. |
| Legitimate Interests | Improving the Service, preventing fraud, security monitoring, and aggregated analytics. |
| Legal Obligation | Tax reporting, responding to valid legal requests, regulatory compliance. |
Where consent is the basis, you may withdraw it at any time without affecting the lawfulness of prior processing.
5 Purpose of Processing
- Service Delivery: Operating, maintaining, and improving the CRM platform.
- Authentication & Security: Verifying identity, managing sessions, and detecting unauthorized access.
- Communication: Sending transactional emails (e.g., password resets, account notifications) and, with consent, marketing materials.
- Analytics & Improvement: Understanding usage patterns to enhance features and user experience.
- Legal Compliance: Meeting regulatory obligations and responding to lawful requests.
- Billing & Invoicing: Processing payments and maintaining financial records (if applicable).
6 Data Sharing & Disclosure
We do not sell your personal data. We share data only in the following circumstances:
- Service Providers / Sub-Processors: Trusted third parties that help us operate the Service (hosting, email delivery, analytics) — under strict data processing agreements.
- Within Your Organization: Tenant administrators and authorized staff within your organization can access CRM records per role-based permissions.
- Legal Requirements: When required by law, subpoena, court order, or governmental regulation.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to equivalent privacy protections.
- With Your Consent: When you explicitly authorize sharing with a specific third party.
7 Sub-Processors
We engage the following categories of sub-processors. An up-to-date list is available upon request to our DPO.
| Category | Purpose | Location |
|---|---|---|
| Cloud Infrastructure | Hosting, storage, compute | [Region/Country] |
| Email Delivery | Transactional & marketing emails | [Region/Country] |
| SMS Gateway | OTP & notification delivery | [Region/Country] |
| Payment Processor | Subscription billing | [Region/Country] |
| Analytics Provider | Usage analytics & crash reporting | [Region/Country] |
| Support Platform | Helpdesk & ticket management | [Region/Country] |
All sub-processors are bound by Data Processing Agreements (DPAs) that require equivalent or higher data protection standards.
8 Cross-Border Data Transfers
Your personal data may be transferred to and processed in countries other than your country of residence. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs): EU-approved contractual protections for transfers outside the EEA.
- Adequacy Decisions: Where the destination country is recognized as providing adequate protection by the relevant authority.
- Binding Corporate Rules: Where applicable, intra-group transfer frameworks.
- Consent: Where no other mechanism applies and you provide explicit, informed consent.
For transfers involving Indian personal data, we comply with applicable requirements under the DPDP Act, 2023, including any restrictions on transfers to jurisdictions not approved by the Indian government.
9 Data Retention & Deletion
| Data Category | Retention Period | Post-Retention Action |
|---|---|---|
| Account & profile data | Duration of account + 90 days after deletion request | Anonymized or deleted |
| CRM records | Duration of tenant subscription + 30 days grace | Permanently deleted |
| Transactional emails / logs | 12 months | Auto-purged |
| Server / access logs | 6 months | Auto-purged |
| Billing records | As required by applicable tax law (typically 5–7 years) | Archived securely, then deleted |
| Backup copies | 30 days rolling window | Overwritten automatically |
Restoration Window: If you request account or data deletion, a 30-day restoration window is available during which you may contact support to reverse the deletion. After this window, deletion is irreversible.
Backup Copies: Deleted data may persist in encrypted backups for up to 30 days before automatic overwriting. Backup data is not used for any purpose other than disaster recovery.
10 Security Measures
We implement industry-standard technical and organizational measures to protect your data:
- Encryption in Transit: All data transmitted between your device and our servers is protected using TLS 1.2 or higher.
- Encryption at Rest: Sensitive data is encrypted at rest using AES-256 (or equivalent).
- Access Control: Role-based access control (RBAC) ensures staff and administrators access only data necessary for their function.
- Least Privilege: Internal access to production systems follows the principle of least privilege, with regular access reviews.
- Audit Logs: All access to CRM records and administrative actions are logged with user identity, timestamp, and action performed.
- Credential Security: Passwords are hashed using strong one-way algorithms. We support and encourage multi-factor authentication.
- Incident Response: We maintain a documented incident response plan with defined escalation procedures, roles, and timelines.
- Vulnerability Management: Regular security assessments, dependency monitoring, and timely patching.
11 Your Rights
Depending on your jurisdiction, you may have some or all of the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal retention requirements.
- Data Portability: Receive your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON).
- Restriction: Request that we limit processing of your data in certain circumstances.
- Object: Object to processing based on legitimate interests, including profiling.
- Withdraw Consent: Where processing is based on consent, withdraw at any time.
- Lodge a Complaint: File a complaint with your local data protection authority.
- Non-Discrimination: Exercise your rights without receiving discriminatory treatment.
12 Data Subject Request (DSR) Workflow
To exercise any of the rights described above:
- Submit a Request: Email [privacy@company.com] with the subject line "Data Subject Request — [Your Request Type]" or use the in-app DSR form (if available).
- Identity Verification: We will verify your identity within 3 business days using your registered email or additional verification if needed.
- Acknowledgement: You will receive an acknowledgement within 5 business days of verification.
- Processing: We will fulfill your request within 30 calendar days. If an extension is required (up to 60 additional days for complex requests), we will notify you with reasons.
- Delivery: Data exports are provided in CSV or JSON format via a secure, time-limited download link.
- Deletion Confirmation: For erasure requests, we provide written confirmation once deletion is complete, including the 30-day restoration window notice.
13 US / CCPA / CPRA Disclosures
If you are a California resident, the following additional disclosures apply under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Categories of PI Collected: Identifiers, commercial information, internet/electronic activity, professional information, and inferences.
- Sale / Sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Know: You may request the categories and specific pieces of personal information collected about you in the preceding 12 months.
- Right to Delete: You may request deletion of your personal information, subject to legal exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out: Since we do not sell or share PI, no opt-out mechanism is required; however, we provide one as a best practice.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
- Authorized Agent: You may designate an authorized agent to make requests on your behalf with proper verification.
14 India DPDP Act, 2023 Compliance
For users in India, we comply with the Digital Personal Data Protection Act, 2023, including:
- Consent: We obtain clear, informed, and specific consent before processing your personal data. Consent is freely given, and you may withdraw it at any time via your account settings or by contacting us.
- Purpose Limitation: Personal data is collected only for specified, lawful purposes disclosed to you at the time of collection.
- Data Minimization: We collect only data that is necessary and adequate for the stated purpose.
- Accuracy: We take reasonable steps to ensure personal data is accurate and up to date. You may request rectification at any time.
- Storage Limitation: Personal data is retained only for as long as necessary for the purpose for which it was collected. See Section 9 for specific timelines.
- Data Principal Rights: You have the right to access, correct, and erase your personal data as described in Section 11.
- Grievance Redressal: See Section 23 for our grievance process.
Significant Data Fiduciary: If classified as a Significant Data Fiduciary, we will appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments, and undergo independent audits as required.
15 Cookies & Tracking Technologies
We use cookies and similar technologies to improve your experience. You can manage preferences through our cookie banner or your browser settings.
Cookie Categories
| Category | Purpose | Examples | Duration | Consent |
|---|---|---|---|---|
| Strictly Necessary | Authentication, security, load balancing | Session ID, CSRF token | Session | Not required |
| Functional | User preferences, theme selection, language | Theme cookie, locale cookie | 1 year | Opt-in |
| Analytics | Usage statistics, feature adoption | [Analytics Provider] cookies | Up to 2 years | Opt-in |
| Advertising | Targeted ads, campaign measurement | [Ad Provider] (if any) | Varies | Opt-in |
For a comprehensive cookie inventory, visit our [/legal/cookies] page.
16 Do-Not-Track Signals
We respect browser Do-Not-Track (DNT) signals. When we detect a DNT signal, we disable non-essential analytics and advertising cookies for that session. Note that strictly necessary cookies remain active as they are required for the Service to function.
17 Analytics
We may use analytics tools to understand how users interact with the Service. Analytics data is aggregated and anonymized wherever possible. Where personal data is involved, processing is based on your consent (where required) or our legitimate interest in improving the Service.
You may opt out of analytics tracking through our cookie consent manager, browser settings, or the relevant provider's opt-out tool.
18 Children's Data
The Service is not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [privacy@company.com].
19 Mobile Applications
If you access the Service through our mobile applications (iOS / Android), the following additional terms apply:
- Device Permissions: We request only necessary permissions (e.g., camera for QR scanning, contacts for CRM import — each with your explicit consent).
- Push Notifications: You may enable or disable push notifications at any time via your device settings.
- Local Storage: The app may cache data locally for offline access. This data is encrypted and cleared upon logout.
- App Store Terms: Your use of the mobile app is also subject to the terms of Apple's App Store or Google Play Store, as applicable.
- Automatic Updates: App updates may modify data collection practices; updated policies will be communicated as described in Section 24.
20 Third-Party Integrations
The Service supports integrations with third-party platforms (e.g., email providers, SMS gateways, payment processors, calendar services). When you enable an integration:
- We share only the data necessary for the integration to function.
- Data shared with third parties is governed by their respective privacy policies.
- You may disconnect integrations at any time via your account settings, which stops future data sharing (previously shared data is subject to the third party's retention policy).
- We are not responsible for the privacy practices of third-party services; we encourage you to review their policies.
21 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR).
- We will notify affected individuals without undue delay if the breach poses a high risk, providing details of the breach, data affected, measures taken, and recommended protective actions.
- Notifications will be sent via email to the address associated with your account, and — for significant incidents — via a notice on our website.
- We will cooperate with relevant authorities and provide periodic updates until the incident is resolved.
22 Contact Information & Data Protection Officer
| Role | Details |
|---|---|
| Company | [Company Legal Name] [Registered Address] |
| Privacy / General Inquiries | [privacy@company.com] |
| Data Protection Officer (DPO) | [DPO Name] [dpo@company.com] |
| Support | [support@company.com] |
23 Grievance Redressal (India DPDP Act)
In compliance with the Digital Personal Data Protection Act, 2023 of India, we have appointed a Grievance Officer to address your concerns:
| Grievance Officer | [Grievance Officer Name] |
|---|---|
| Email | [grievance@company.com] |
| Postal Address | [Registered Address, India] |
| Response Timeline | Acknowledgement within 48 hours; resolution within 15 business days |
If you are not satisfied with our resolution, you may escalate your complaint to the Data Protection Board of India as established under the DPDP Act, 2023.
24 Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- Material Changes: We will notify you via email and/or a prominent notice on the Service at least 30 days before the changes take effect.
- Minor Changes: Non-material changes (e.g., formatting, clarification) may be made without advance notice but will be reflected in the "Last Updated" date.
- Version History: We maintain a versioned change log of this policy, accessible upon request.
- Continued Use: Your continued use of the Service after the effective date of changes constitutes acceptance. If you disagree, you should discontinue use and request data deletion.